getcifsacl: fix endianness bug in getcifsacl and add better bounds checks

getcifsacl must convert the access_req field from little endian. Also,
we should ensure that the "size" field in the ACE is reachable before
trying to access it.

Signed-off-by: Jeff Layton <jlayton@samba.org>

1 files changed, 11 insertions, 3 deletions

diff --git a/getcifsacl.c b/getcifsacl.c
index b832c50..c576fc0 100644
--- a/getcifsacl.c
+++ b/getcifsacl.c
@@ -31,6 +31,7 @@
 #include <unistd.h>
 #include <stdio.h>
 #include <stdlib.h>
+#include <stddef.h>
 #include <errno.h>
 #include <limits.h>
 #include <wbclient.h>
@@ -235,7 +236,15 @@ print_sid_raw:
 static void
 print_ace(struct cifs_ace *pace, char *end_of_acl, int raw)
 {
-	/* 16 == size of cifs_ace sans the cifs_sid */
+	uint16_t size;
+
+	/* make sure we can safely get to "size" */
+	if (end_of_acl < (char *)pace + offsetof(struct cifs_ace, size) + 1)
+		return;
+
+	size = le16toh(pace->size);
+
+	/* 16 == size of cifs_ace when cifs_sid has no subauths */
 	if (le16toh(pace->size) < 16)
 		return;
 
@@ -250,8 +259,7 @@ print_ace(struct cifs_ace *pace, char *end_of_acl, int raw)
 	printf("/");
 	print_ace_flags(pace->flags, raw);
 	printf("/");
-	print_ace_mask(pace->access_req, raw);
-
+	print_ace_mask(le32toh(pace->access_req), raw);
 
 	return;
 }